HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch

141

142

143

144

145

146

147

148

149

150

142 Configuring advanced security features

Overview of steps

1. Optional: Configure RADIUS server

2. Optional: Configure authentication protocols

3. For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the

switch for using LDAP authentication.

4. Block Telnet, HTTP, and RPC

5. Disable BootProm access

6. Configure the switch for signed firmware

7. Disable root access

8. Enable FIPS

To enable FIPS mode:

1. Log in to the switch using an account assigned the admin or securityAdmin role.

2. Optional: Select the appropriate method based on your needs:

• If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication

protocol, issuing the aaaConfig

--change or aaaConfig --remove command.

• If the switch is set for LDAP, see the instructions in ”To set up LDAP for FIPS mode:” on page 139.

3. Optional: Set the authentication protocols.

a. Issue the following command to set the hash type for MD5 which is used in authentication protocols

DHCHAP and FCAP:

authutil --set -h sha1

b. Set the DH group to 1 or 2 or 3 or 4, by issuing the command authUtil --set -g <n>, where

the DH group is represented by <n>.

4. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. See the instructions

”LDAP certificates for FIPS mode” on page 140.

5. Block Telnet, HTTP, and RPC by issuing the ipfilter policy command.

You will need to create an IPFilter policy for each protocol.

a. Create an IP filter rule for each protocol, see ”Creating an IP Filter policy” on page 124.

b. Add a rule to the IP filter policy. You can use the following modifications to the rule:

ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp

<dest_port> -proto <protocol> -act <deny>

where:

• -sip option can be given as any

•

-dp option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898 respectively

• -proto option should be set to tcp

c. Activate the IP filter policy, see ”Activating an IP Filter policy” on page 125.

d. Save the IP filter policy, see ”Saving an IP Filter policy” on page 125.

Example:

ipfilter --createrule http_block_v4 --type ipv4

ipfilter --addrule http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny

ipfilter --activate http_block_v4

ipfilter --save http_block_v4

6. Issue the following command to block access to the boot PROM:

fipscfg –-disable bootprom

Block boot PROM access before disabling root account.

7. Enable signed firmware by issuing the configure command and responding to the prompts as

follows:

System services No

cfgload attributes Yes